Hi Cory,
thank you for this info. It makes perfect sense.
On 27.10.2015 at 21:37, Cory (NQ1E) wrote:
> The oldest of the three LotW root CAs hasn't been in-use for several
> years and can be discarded. I think I heard that they lost the
> private key for it, or something silly like that.

Bad things happen ...

> The second one is their SHA1 root CA cert that they've been using up
> until this year, but should be kept around for a while because some
> people still have call sign certs in that chain. Since call sign
> certs are only signed for two years, you can discard that root CA too
> once the existing call sign certs expire.

I guess this is the cert with serial 0xe7b27ba978517c65
as Heikki has shown. So it looks like it still also is the current
active cert that the OpenVPN is tested against.

> The latest LotW root CA was created this year using modern crypto
> tech. It was necessary because it's expected that SHA1 will be broken
> within a few years, so everyone's in a hurry to move away from it.

Ok, and this is the cert of the CA that was used to sign my certificate.
I guess this is my problem, no?

Roland
--
_________________________________________
_ _ | Roland Schwarz
|_)(_ |
| \__) | mailto:roland.schwarz@blackspace.at
________|
http://www.blackspace.at